You can find info here:
http://ossec-docs.readthedocs.org/en/latest/syntax/head_ossec_config.active-response.html
If unsure I suggest to disable it at /var/ossec/etc/ossec.conf
<active-response>
<disabled>yes</disabled>
</active-response>
On Tue, Nov 10, 2015 at 1:22 AM, frwa onto <[email protected]> wrote:
> Hi Ryan,
> I am not too good in tuning up my active response or rules.
> Any tips on how to go about it?
>
>
> On Tue, Nov 10, 2015 at 1:17 PM, Ryan Schulze <[email protected]> wrote:
>
>> Sounds like you may want to look into fine tuning your active response
>> and/or rules.
>>
>> On 11/9/2015 10:11 PM, frwa onto wrote:
>>
>> Hi Santiago,
>> I am just running as standalone so its not a manager
>> or agent. I have another machine for instance I am using the older ossec
>> 2.7.1 in that one I have tried say I got my phpymadmin and when I start
>> browsing huge data ossec will block me an only after some time I can login
>> here is the active response log as below.
>>
>> Tue Nov 10 11:48:12 MYT 2015
>> /var/ossec/active-response/bin/firewall-drop.sh add - 10.212.134.200
>> 1447127292.12356 31106
>> Tue Nov 10 11:48:12 MYT 2015 /var/ossec/active-response/bin/host-deny.sh
>> add - 10.212.134.200 1447127292.12356 31106
>> Tue Nov 10 11:58:42 MYT 2015 /var/ossec/active-response/bin/host-deny.sh
>> delete - 10.212.134.200 1447127292.12356 31106
>> Tue Nov 10 11:58:42 MYT 2015
>> /var/ossec/active-response/bin/firewall-drop.sh delete - 10.212.134.200
>> 1447127292.12356 31106
>>
>> I dont know what trigger is exactly but I know due to my browsing of huge
>> data and also how to overcome this issue? In my older version I saw this
>> error too
>> ossec-execd: INFO: Active response command not present:
>> '/var/ossec/active-response/bin/restart-ossec.cmd'. Not using it on this
>> system.
>>
>> This is my worry on the new machine using 2.8.1 the app might get block
>> from accessing the data.
>>
>> On Tuesday, November 10, 2015 at 9:18:45 AM UTC+8, Santiago Bassett
>> wrote:
>>>
>>> Are you running an agent or the manager? I don't think OSSEC would block
>>> access to your mysql db.
>>>
>>> On Mon, Nov 9, 2015 at 8:19 AM, frwa onto <[email protected]> wrote:
>>>
>>>> Hi,
>>>> I have centos server. I have managed to install ossec 2.8.1. It
>>>> mainly runs a socket programming app. For every instance of a connection it
>>>> will receive data and insert into mysql db. What I worried in what scenario
>>>> will it block the access to this local mysql db as I can see there some
>>>> rules for mysql? Sorry very new to these.
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
>>>
>>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to a topic in the
>> Google Groups "ossec-list" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/ossec-list/rdsEIi60ciM/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
>> [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
